In a SaaS deployment model, software providers host the software on cloud service providers’ servers. Users purchase appropriate licenses through the SaaS provider to access the software and its associated services. There is no need for users to install, deploy, or upgrade the software on their own systems; they simply log in to enjoy the convenience of its functionality.
Since services and data are hosted in the cloud rather than on local servers, users may worry about whether their data is adequately protected. In this article, we discuss the key security concerns associated with SaaS and explain how to assess the security capabilities of SaaS providers when selecting a SaaS-based ELN, focusing on aspects like basic security, environmental security, application security, data security, compliance, and the division of security responsibilities.
- Public vs. Private Cloud Deployment
Public cloud platforms generally offer greater availability, security, and scalability compared to private cloud platforms. It’s recommended to prioritize well-established public cloud platforms such as AWS, Ali Cloud, or Microsoft Azure, etc.
- Security Management Qualifications of Third-Party Providers
When selecting a SaaS platform, it’s essential to assess the basic security capabilities, protection measures, and qualifications of the third-party SaaS provider.
Take AWS as an example. AWS is a globally recognized cloud platform that holds top security certifications, including ISO27001. AWS also adheres to strict data protection standards such as GDPR compliance, and provides services that meet numerous regulatory requirements globally. AWS security measures include physical and environmental security, baseline security, disaster recovery, and business continuity. AWS is widely regarded as one of the most secure and trustworthy cloud platforms on the market.
All business platforms of iLabPower Innovation Cloud Community are deployed on the AWS IAAS platform, utilizing AWS services such as computing, networking, and storage. The iLabPower Innovation Cloud Community relies on AWS’s robust security solutions, including AWS’s cloud firewall, to ensure top-level network security, comparable to the security measures used by AWS itself.
- Security Measures for SaaS Applications
The security of the SaaS platform does not automatically extend to the SaaS applications. The applications themselves must have robust security measures in place. For example, in the iLabPower Innovation Cloud Community, SaaS products implement security at various levels: network, database, environment, personnel, and operating systems. Key measures include:
(1) User Access
- Access Interface Security
- Secure https protocol (SSL encryption) is employed.
- URL encryption via algorithms.
- Privilege Security
- Login passwords are encrypted, and each account is linked to a specific device.
- Role-based authorization limits access based on employees’ business system roles.
- Access Control
- Unique accounts for employees, preventing login by departed staff.
- Error protection mechanisms for login credentials.
- Audit logs and access records are backed up for auditing purposes.
(2) Data Security
- Ensuring read-write separation for data integrity.
- Utilizing a high-availability system with hot standby on two servers.
- Creating distributed databases to avoid resource bottlenecks.
- Implementing lightweight distributed file systems for mass storage and load balancing.
- Regular system inspections, data backups, and anti-tampering measures.
- Organizational and Personnel Security
Organizational Security: The Innovation Cloud Community team consists of dedicated security teams across design, R&D, and maintenance.
Personnel Security: Employees adhere to relevant laws and policies, and have the knowledge and expertise to perform their duties securely.
Delivery Security: Security is ensured throughout the product lifecycle, from design to deployment and maintenance.
R&D and Maintenance Security: The R&D and maintenance teams work collaboratively on the platform’s architecture, business logic, and ongoing security improvements.
Disaster Recovery and Business Continuity: The system includes disaster recovery plans to minimize service interruptions and data loss.
- Regular Penetration Testing
SaaS platforms must regularly conduct penetration tests and provide security reports from accredited security vendors.
- Data Privacy and Regulatory Compliance
All data on a SaaS platform, including administrative access logs, should be regularly audited. Compliance assessments help ensure adherence to regulations and appropriate security protocols.
The ownership of user data on a SaaS platform remains with the user. SaaS providers cannot use or sell the data without user consent, and are responsible for securely destroying historical data when no longer needed. SaaS providers also bear responsibility for compensating users in case of data breaches or losses.
iLabPower Innovation Cloud Community’s Privacy Policy clearly outlines how user data is collected, used, stored, and protected, offering transparency and control to users over their data.
- Multi-Tenant Data Segregation
SaaS is based on a multi-tenant architecture, where data from different users may be stored in the same environment. Providers must ensure strict data isolation, preventing one user from accessing another’s data. In the case of AWS, network isolation is implemented for each deployment, and measures like trusted packet filters, rate limiting, and anti-spoofing protect tenant data.
For example, communication between virtual machines (VMs) is always routed through trusted packet filters. VMs cannot capture network traffic that is not destined for them. AWS further ensures that VMs within a virtual private network have isolated address spaces that cannot be accessed by external VMs unless specifically configured.
- Division of Security Responsibilities
In the SaaS model, security compliance responsibilities are shared between the SaaS provider and the customer. For instance, if a security issue arises due to a vulnerability in the application system, the responsibility lies with the provider. However, if the issue results from weak passwords or identity theft by the user, the responsibility falls on the tenant.